What Do Nonprofits Need to Know Now About Cybersecurity, Viruses, and Phish-Resistant MFA?
Nonprofit Cybersecurity expert and Community IT CTO Matt Eshleman offered his take on these trends. Listen for expert advice on avoiding new computer viruses and making sure your organization is protected from Attacker-in-the-Middle attacks on MFA (Multi-Factor Authentication), particularly for important accounts like your Executive Director and CFO.
Takeaways on Cybersecurity, Computer Viruses, and Phish-Resistant MFA
Fighting Viruses
- Virus attacks have been increasing. These computer viruses are no longer just malware that “infects” your network through an email link or website.
- Bad actors know we are suspicious of links in our email and that these days most malicious emails are stopped from reaching our inboxes. As a workaround, they have started sending a document with instructions to open the document with a “secure code” – actually malicious code. In this way, they trick the victim into running the attack against themselves.
- To resist this attack, always think – if the document you need to open is legitimate, and the person emailing it to you is genuine, they can send you a PDF. You should be very suspicious of any attachment that requires another set of steps to open, particularly executing code on your computer.
- Other ways you may pick up a computer virus: downloading something malicious online. Be careful to double check you are on a legitimate site before downloading anything. Better yet, use the App Store where possible.
- We are also seeing an increase in malicious pop-ups. If a window opens on your computer saying you have a virus, it can be scary. Always contact your own IT provider. Do not follow the directions the pop-up is giving you to get “support,” or you will be calling the scammer.
Using Phish-Resistant MFA
- Community IT continues to recommend that all users use a Multi-Factor Authentication method on all accounts.
- Because MFA is so effective, it is not surprising that attackers are trying to work around it. In the past few years Attacker-in-the-Middle attacks have been on the rise. In this attack, the bad guys trick a user into “logging in” in a way that exposes their secure token for the attacker to steal. The attacker can then log in as the user from a different device and gain access to anything the user has access to.
- Phish-Resistant MFA, such as a passkey or Microsoft Hello, only lets the login be approved from the device you are signing in on. You can also use a physical key like YubiKey or FIDO, which must be present to allow the login.
- At a minimum, Community IT recommends that all accounts with access to sensitive data, such as the Executive Director, CFO, the executive team, and maybe Board members, use Phish-Resistant MFA to best protect the organization. Of course, any access to your network is a risk, so where possible, Phish-Resistant MFA for all staff is a good investment.
- Training on Phish-Resistant MFA can lessen the friction or feeling that an extra step is required. Most Phish-Resistant MFA is quick to use and easy to learn. Peace of mind is worth it.
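
For technical readers, the following added example (not from the podcast or from Community IT) models why a passkey login resists an Attacker-in-the-Middle page: in WebAuthn, the standard behind passkeys and FIDO keys, the browser records the site it is really on and the server rejects anything else. The domains are constructed, the function names are hypothetical, and the signature check that makes these fields tamper-proof in a real deployment is left out to keep the focus on the site binding.

```python
import base64, hashlib, json, os

# Assumed values for the genuine sign-in site (constructed for this example).
RP_ID = "login.example.org"
EXPECTED_ORIGIN = "https://login.example.org"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def browser_assertion(page_origin: str, rp_id: str, challenge: bytes) -> dict:
    """Simulate what the browser and passkey produce at sign-in.
    The browser, not the user, writes the origin of the page it is on."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": page_origin}).encode()
    # authenticatorData = SHA-256(rpId) | flags (0x01 = user present) | counter
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + b"\x01" + (7).to_bytes(4, "big"))
    return {"clientDataJSON": client_data, "authenticatorData": auth_data}

def check_assertion(assertion: dict, challenge: bytes) -> str:
    """Server-side checks that tie the login to the real site.
    Returns "ok" or the reason the login is rejected."""
    client = json.loads(assertion["clientDataJSON"])
    auth_data = assertion["authenticatorData"]
    if client.get("type") != "webauthn.get":
        return "wrong type"
    if client.get("challenge") != b64url(challenge):
        return "challenge mismatch"       # replayed or stale response
    if client.get("origin") != EXPECTED_ORIGIN:
        return "origin mismatch"          # user was on a look-alike page
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"        # credential scoped to another site
    if not auth_data[32] & 0x01:
        return "user not present"
    return "ok"

def demo() -> dict:
    challenge = os.urandom(32)            # fresh random value per login
    real = browser_assertion(EXPECTED_ORIGIN, RP_ID, challenge)
    # Constructed look-alike domain standing in for the middle page.
    fake = browser_assertion("https://login.example-org.test",
                             "login.example-org.test", challenge)
    return {"real site": check_assertion(real, challenge),
            "look-alike site": check_assertion(fake, challenge)}

if __name__ == "__main__":
    print(demo())
```

A one-time code or push approval has no equivalent of the origin field, which is why it can be relayed through a look-alike page while a passkey response cannot.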
In many ways, these new types of attacks just draw attention to the good work we have been doing in security awareness training for staff and leadership. Compared to a few years ago, nonprofit employees are becoming more and more savvy on the ways to protect our organizations against fraud, theft, data breaches, and other cybercrime.
Community IT hopes that building this culture of care at your organization makes it easier for you to update your staff on new threats and scams through your regular training program. If you have questions on security awareness training, reach out and schedule an assessment with Matt.
Presenters

As the Chief Technology Officer at Community IT, Matthew Eshleman leads the team responsible for strategic planning, research, and implementation of the technology platforms used by nonprofit organization clients to be secure and productive. With a deep background in network infrastructure, he fundamentally understands how nonprofit tech works and interoperates both in the office and in the cloud. With extensive experience serving nonprofits, Matt also understands nonprofit culture and constraints, and has a history of implementing cost-effective and secure solutions at the enterprise level.
Matt has over 23 years of expertise in cybersecurity, IT support, team leadership, software selection and research, and client support. Matt is a frequent speaker on cybersecurity topics for nonprofits and has presented at NTEN events, the Inside NGO conference, Nonprofit Risk Management Summit and Credit Builders Alliance Symposium, LGBT MAP Finance Conference, and Tech Forward Conference. He is also the session designer and trainer for TechSoup’s Digital Security course, and our resident Cybersecurity expert.
Matt holds dual degrees in Computer Science and Computer Information Systems from Eastern Mennonite University, and an MBA from the Carey School of Business at Johns Hopkins University.
He is available as a speaker on cybersecurity topics affecting nonprofits, including cyber insurance compliance, staff training, and incident response. You can view Matt’s free cybersecurity videos from past webinars here.

Carolyn Woodard is currently head of Marketing and Outreach at Community IT Innovators. She has served many roles at Community IT, from client to project manager to marketing. With over twenty years of experience in the nonprofit world, including as a nonprofit technology project manager and Director of IT at both large and small organizations, Carolyn knows the frustrations and delights of working with technology professionals, accidental techies, executives, and staff to deliver your organization’s mission and keep your IT infrastructure operating. She has a master’s degree in Nonprofit Management from Johns Hopkins University and received her undergraduate degree in English Literature from Williams College.
She was happy to have this podcast conversation with Matt Eshleman about cybersecurity, viruses and phish-resistant MFA for nonprofits.
Ready to get strategic about your IT?
Community IT has been serving nonprofits exclusively for twenty years. We offer Managed IT support services for nonprofits that want to outsource all or part of their IT support and hosted services. For a fixed monthly fee, we provide unlimited remote and on-site help desk support, proactive network management, and ongoing IT planning from a dedicated team of experts in nonprofit-focused IT. And our clients benefit from our IT Business Managers team who will work with you to plan your IT investments and technology roadmap if you don’t have an in-house IT Director.
We constantly research and evaluate new technology to ensure that you get cutting-edge solutions that are tailored to your organization, using standard industry tech tools that don’t lock you into a single vendor or consultant. We don’t treat any aspect of nonprofit IT as if it is too complicated for you to understand. When you are worried about recovering from a cybersecurity incident, you shouldn’t have to worry about understanding your provider.
If you have questions about cybersecurity, incident response planning, or business continuity, you can learn more about our approach and client services and contact us here.
We think your IT vendor should be able to explain everything without jargon or lingo. If you can’t understand your IT management strategy to your own satisfaction, keep asking your questions until you find an outsourced IT provider who will partner with you for well-managed IT.
If you’re ready to gain peace of mind about your IT support, let’s talk.